The Changing Face of Business Risk - PowerPoint PPT Presentation

Slides: 26
Provided by: ellieg3
Transcript and Presenter's Notes

1
The Changing Face of Business Risk
University of Houston Information Systems Research Center
Dan Starta (Dan.Starta_at_ATKearney.Com)
February 2002
2
Executive Summary
  • The recent terrorist attacks on the US have
    refocused business leaders and IT managers on
    business continuance, risk management and
    disaster recovery
  • The financial impact of disaster and security
    events runs into the billions of dollars each year,
    with greater than 90% of firms being impacted
  • Business Continuity and Security (BCS) will
    continue as an executive focal point for the
    foreseeable future
  • Most enterprises have underinvested in Business
    Continuity and Security and will be forced to
    funnel increased funds into enhancing these areas
  • Investment is now expected to triple between 2000
    and 2005
  • Strategic BCS Planning enables organizations to
    avoid the pitfalls of overspending, protect the
    business and potentially enable new sources of value
  • BCS should be a business-driven initiative; IT
    is only part of the solution
  • A one-size-fits-all approach to BCS will
    overprotect non-critical assets and leave core
    business processes underprotected
  • As BCS spend grows, smart investment can reduce
    costs while increasing protection to critical
    aspects of the business
  • The renewed focus on BCS will accelerate the
    development of new technology enablers that have
    additional value potential for enterprise
    operations, customers and stakeholders

3
Topics for Today
  • The Landscape of Risk
  • Business Continuity and Security Planning
  • The Value of Planning
  • Approach

4
The Landscape of Risk
5
Our world is changing and creating new,
unanticipated risks for businesses and technology
Businesses
People
Countries
6
In the last ten years, the risk profile of
businesses has changed considerably
[Figure: timeline (not to scale) marked 1850, 1900, 1950, 1970, 1980, 1990, 2000]
New risk profiles
Natural Disasters
Change in weather patterns caused by global
warming
More frequent catastrophic weather events: El
Niño floods, earthquakes, hurricanes
Industrialization increases population density
Business Climate
Larger more concentrated targets
Increased concentration in industries
Global free trade zones (WTO, NAFTA, EU)
Economies of scale begin to be realized through
centralized efficient manufacturing processes
Pervasive Technology
Increased connectivity enabled by the Internet
First commercially available computers
Information Target
Greater risk of independent threats
Political and Economic Unrest
End of Cold War
2nd and 3rd world political unrest
Bio Technologies
Fear of the unknown
Emergence of bio-technology
Terrorists begin to use bio-technology weapons
7
Reported Source of Computer Attacks, 1997-2001
[Chart: percentage of respondents, by source: Foreign Governments, Foreign Corporations, US Corporations, Hackers, Insiders]
Source: Computer Security Institute
8
Worldwide economic damage caused by computer
viruses at peak distribution
[Chart: damage in millions of US$, by virus: 1990 Jerusalem, 1995 Concept, 1999 Melissa, 2000 Love Bug]
Source: Richard Power, Tangled Web
9
A majority of US citizens believe that
corporations are too powerful for the good of the
country
Are US corporations too powerful?
  • Agree: 63%
  • Disagree: 30%
  • No Opinion: 7%
Source: ABC News
10
Most industries fall into likely target
categories for disruptive threat
Targets for Disruptive Threat
  • Core Producers: Automotive, Consumer Products,
    Healthcare, High Technology, Pharmaceuticals,
    Process Industries
  • Visibility: Entertainment, Gaming, Leisure, Media,
    Sports
  • Infrastructure: Oil & Gas, Telecommunications,
    Transportation, Utilities
11
Business Continuity and Security Planning is the
response to threats, their impact and reaction
Threats
Potential Impacts
Reaction
Cost Increases Revenue Reduction New
Opportunities
Disasters
Regulatory
Cyber
Customer Demand
Operations
Shareholder Value
Business Continuity and Security Planning
Risk Mitigation
Event Recovery
Cost Management
New Opportunities
12
Business Continuity and Security Planning
13
Business Continuity and Corporate Security can serve
to protect the operations, assets and the brand
of the enterprise
Definitions
  • Business Continuity: Process of developing
    proactive arrangements and procedures that enable
    an organization to respond to an event in such a
    manner that critical business functions continue
    without interruption or essential change
  • Corporate Security: Preventative actions that
    minimize threats and mitigate risks to physical
    and virtual assets that are critical to ongoing
    operations

Objectives
  • Operations
      • Continuity of critical operations
      • Minimize service interruptions
      • Ensure resumption of normal services
  • Assets
      • Preserve information assets
      • Minimize financial loss
      • Reduce risk profile
      • Ensure staff safety
  • Brand
      • Maintain public / customer confidence
14
As the level of technology, partnering and
operational sophistication has increased, so
have points of risk and failure across the
business
  • Traditional business operations have become
    increasingly complex and susceptible to failure
  • System protection has typically not kept pace
    with business criticality
  • External connectivity and devices continue to
    proliferate and provide a point of entry for
    disruption

Operational Business Model
Critical Administrative
Legal
Finance
HR
Training Center
Customers
Sales
Warehouse
Procurement
Supplier
Partner
Inventory Systems
Warehouse Logistics
Sales Systems
Infrastructure
POS Devices
Portable Devices
Web Access
15
Current threats and trends are increasing the
focus and need for a robust business continuity
plan
  • Significant Trends
      • Evolution of the extended enterprise
      • Mergers, Consolidation and Bankruptcy
      • Increasing Globalization
      • Dependency on information
      • Pervasive technology
      • Internet and public access to systems
      • Refinement of e-business regulatory environment
      • Self-service of the customer
  • Typical Threats
      • Natural Disasters
          • Fires
          • Floods
          • Tornadoes
          • Hurricanes
          • Earthquakes
          • Ice / Snow
      • Manmade Threats
          • Hackers
          • Viruses
          • Data integrity
          • Digital signatures
          • Legal / regulatory issues around data disruption
          • Terrorism

16
Business leaders and IT managers have renewed
their focus on business continuance, risk
management and disaster recovery
  • Greater than 90% of firms are affected
  • The financial impact of disaster and security
    events runs into the billions of dollars
  • Most enterprises have underinvested
  • Additional budget will have to be funneled into
    enhancing these areas in the coming years
  • Investment is now expected to triple between 2000
    and 2005

17
Business Continuity and Corporate Security should
focus on answering the tough questions
  • Protection and Risk
      • Is my business at risk? Where?
      • Can problems in my partners or customers put me
        at risk?
      • How do I protect my business when I don't know
        what to protect?
      • How much protection is enough?
  • Cost
      • How much will it cost? When can I stop spending?
  • Survival
      • If a disruption does occur, will my business
        continue to operate? And survive?
      • Will you know what to do if a disruption does
        occur?

18
The Value of Planning
19
A fundamental issue in BCSP is understanding the
balance between costs, likelihood of a disruption
and business impact
Disruption Occurs
  • Likelihood
  • Magnitude

Event
Recovery Cost
Resume Ops
  • Recovery Performance
  • Time to Recover
  • Scope of Recovery
  • Crisis Management

Protection Investment
Normal Ops
  • Prevention / Preparation
  • Plan and response development
  • Scope of protection
  • Ongoing Incremental Expense
  • Risk / Impact Profile
  • Service Requirements

Business Impact
  • Lost Revenue
  • Customer / Partner Confidence
  • Regulatory / Legal Issues

20
By preventing risk through mitigation or by
preparing for interruption you can lower the
business risk profile
Risk Profile
High Impact High Risk
Reduces the likelihood of risk by proactively
enhancing protection or redundancy
Prevention
Business Impact
Preparation
Reduces the business impact by providing recovery
options in the event of disruption
Likelihood of Risk
21
Keys to achieving value from a Business
Continuity and Security Plan
  • Develop a plan and implement priority changes
      • With no tested plan, 40% fail immediately, 8%
        survive 5 years
      • Cybercrime increased by a factor of 6 in the last
        4 years
  • Prevent and mitigate problems in critical areas
      • Design business operations with interruptions in
        mind
      • Develop alternatives and redundancy where
        appropriate
  • Increase Preparedness and Reaction
      • People must recognize the signals that failure
        is occurring
      • Training is key, as people must know how to react
      • Plan development and crisis management
        preparedness are first steps
      • Communication and senior management support are
        key factors

22
Approach
23
Our approach examines the critical elements of
risk and the value of business continuity to
develop a balanced approach to preparedness
Business Continuity Program Management
Plan Development
Risk and Business Impact Analysis
Plan Implementation
Plan Testing
Extended Enterprise Preparedness
Security plan
Assess strategic value of business continuity and
appropriate investment
Develop a pragmatic approach to preparedness and
change
Validate and approve the plan
Deploy the plan
24
An initial assessment phase will result in an
evolved understanding by the firm's leaders of
the strategic value of business continuity and
security
Risk and Business Impact Analysis (6-8 Weeks)
Obligations and Dependencies
Business Impact Analysis
Solution Strategy Report
  • Assess customer, partner and supplier business
    obligation dependencies
  • Review existing agreements
  • Assess regulatory requirements
  • Quantified impact
  • Interdependencies
  • Prioritized functions

Current Readiness
Prioritized Mission Critical Business Processes
Strategic Priorities
  • Current readiness
  • Future state
  • Business Case
  • Improvement recommendations
  • Required continuity plans
  • Executive / leadership workshops
  • Review existing business continuity plans
  • Assess current plans
  • Determine initial gaps
  • Map strategic priorities to processes
  • Identify mission critical processes
  • Prioritize critical processes
  • Determine components and dependencies

Risk Assessment Mission Critical Business
Processes
Alternate Solution Selection
  • Identify risk elements
  • Assess impact and likelihood of risk
  • Identify alternative methods for continuing
    critical functions
  • Assess strategic alternatives

25
A mix of business and technical resources is
required to develop a comprehensive approach to
BCSP that focuses on business value
Business Continuity Program Management
Plan Development
Plan Implementation
Plan Testing
Risk and Business Impact Analysis
Extended Enterprise Preparedness
Security plan
Business Focus
Technical Focus
  • Business driven approach to business continuity
    and security
  • Combination of strategy, operations and
    technology expertise
  • Explore areas of privacy, security, fraud and
    risk management
  • Adopt a life-cycle approach, providing protection
    from ever-changing threats and vulnerabilities
  • Embed business continuity into new process and
    technology design